Ask Ars takes a look at the best practices for using a password-keeping …


Ask Ars was one of the first features of the newly born Ars Technica back in 1998. And now, as then, it's all about your questions and our community's answers. Each week, we'll dig into our bag of questions, answer a few based on our own know-how, and then we'll turn to the community for your take. To submit your own question, see our helpful tips page.

Question: What are the best practices when using a password-keeping service, and what are the merits and disadvantages of local vs. cloud-based password storage?

With every website requiring users to register a password-protected account to see its content, password management systems have become very popular. We probably don't need to tell you that one of the most popular strategies for managing passwords—using the same password for every account—is a terrible thing to do.

Because of this, password-keeping programs have been making gains, but using one can be dangerous to your privacy if done incorrectly. There are certain features and practices that will keep your logins more secure, so we'll go through a few different services and things you can do to crank up the security.

Most password keepers work by allowing you to store your login information, either locally or in cloud storage, and most also include a password generation feature that will create long strings of gibberish for you to use and then store. That information is encrypted, and then can be accessed by a master password that you set.

Already, there are some considerations here. All your passwords on different sites are like an anarchic society: unorganized, somewhat difficult to ruffle at once because they are unrelated (or they should be... that reminds us, again, don't use the same password for everything). Using a password-keeping service is like introducing a societal leader, your master password: everything is more organized and hierarchical, but someone only has to kill the emperor/shah/king to make the whole arrangement fall apart.

Therefore, step one of good password-keeper-using practices is "use a beastly master password," whether your keeper is in the cloud or on your computer. You probably can't fit an essay into that field, but if you could, we'd advise it. Short of that, make it long and completely nonsensical. Using an easy master password for your password keeper is like giving a chair to a security guard, and we've seen how that turns out.

The next issue that bears discussing is which storage is more secure: passwords stored on your computer, or in the cloud? On the one hand, you have complete control over the encryption of login data stored locally. If you wanted, you could make a hundred nested TrueCrypt volumes, each with three layers of 256-bit AES encryption, and save your passwords inside. This is unreasonable from a convenience standpoint, but if that's all that makes you feel safe we'd hardly stand in your way.

Most cloud storage services use one layer of 256-bit AES encryption. It's worth noting that even if someone stole your data from those servers, even with a ridiculous amount of computing power, it would take longer than the universe is old to crack the encryption; therefore, someone who wants at your data is far more likely to go after the password itself.

Still, it would take thousands of years to crack an 8-character password when checking both small and capital letters, spaces, and numbers. That's on a low-power computer, but the time it takes to crack a string of characters goes up exponentially the more characters you use. So again, use a long password and you can foil even the Watsons of today for long enough that you would probably decide on a whim to change your password before the password is solved.

Some cloud storage keepers have been making impressive showings in secondary features that can add an extra layer of security. For example, LastPass offers grid multifactor authentication, which requires you to print out a physical chart of numbers and letters and then enter corresponding digits along with your master password when you log in. Without the physical chart to reference, no one can log in.

Cloud password storage makes us a little nervous in that anyone anywhere can just start trying master logins. If this makes you uncomfortable, don't use it, or enable some of the physical multifactor authentication features like grid authentication or fingerprint scanning (separate dongle required). Of course, website logins in general have this problem, which is why it's a good idea to use the proffered generators in keeper programs to prevent someone from just guessing your password.

The convenience of cloud storage may be worth it to you, but there are ways to make locally stored password keepers more available, too—for example, putting KeePass or 1Password data on a thumb drive or in a Dropbox. If it's in a Dropbox, again, long, frequently changed passwords are your friends, as you are providing another point of access to your data.

Whichever way you choose to go, all your intricate-master-password-making can be for naught if you neglect practical considerations. It helps to set the service to log you out after a short time, do regular virus scans to keep out keyloggers and other data-harvesting viruses, and be extra careful on open networks. If possible, don't do any logging in to anything on them, especially not into your goldmine of a password keeping service.

If you must use your keeper on an open network, any keeper worth using will offer you a virtual keyboard option to enter your master password in case you are using a computer that may have been compromised or is being watched.

In my personal experience, the first big downside I ever discovered to password keepers was that they made it remarkably hard to use any account-based website from a smartphone. If this is something you need to be able to do, many big-name local storage programs like 1Password offer syncing through a (moderately expensive) app; a premium account with LastPass at $1 per month gets you access to iPhone and Android apps, plus service on a bevy of third-party browsers. Again, be wary of open networks.

After all these considerations, it may seem like it's OK to keep the same passwords forever, but it's still not advisable. The actual holders of your account, the websites themselves, may be storing your login information in plain text files and practically flying them from a flagpole on their back-end for all you know. So if you are using a password keeper, take advantage of never having to memorize a separate password for each site, and generate new ones frequently. This sounds like a pain, but it's just good Internet hygiene.


Casey Johnston
Casey Johnston is the former Culture Editor at Ars Technica, and now does the occasional freelance story. She graduated from Columbia University with a degree in Applied Physics. Twitter: @caseyjohnston

Re-using password strategies for each site is usually okay, provided you follow best practices:

(1) make it a long/strong password that isn't likely to be brute forced/on some sort of rainbow table
(2) have a site-specific salt that you put on the very end of your password. Make it some kind of systematic generation that's easy to do, like capitalizing the first letter of the site name and replacing vowels with symbols/leet speak. (i.e. password$r5t3chn1c4 is practically unbreakable).

A +1 for YOUR MIND. I have 3 sets - work, home and tossaway. I change my complex passwords every 4 weeks. All are different (work is complex, home is complex, tossaway is simple) and never related to each other. I pick a random word (8 letters min), random letter / number substitutions and type them about 50 times into notepad to memorize them for work / home. Tossaway is that - tossaway, for random sites where I "have" to register for something (like driverguide, etc).

Everything is organized into these categories, and the passwords match. I also have the account names for sites "saved" in my browser, and a list of those in email, so that I rarely have to type both account name and password to minimize my "attack surface". I also only use "clean" machines that I *trust*. Honestly, I am never in need to post / read anything badly enough to risk using a potentially compromised public machine at a library, etc.

Work passwords that are shared in our organization are organized in public folders with only our team having access, so that takes care of itself.

Considering the long term reliability of this method and ability to store large numbers of complex passwords, I would highly recommend against it. You're better off with the ol' sticky note than making every password something you can remember.

Really curious about LastPass now. My last voyage into setting up a unified password system resulted in an obscenely difficult to remember password that I promptly forgot, after converting a bunch of passwords over to that system (fortunately, not very many). Since then I used an easier to remember but long as hell gmail password and kept a lot of passwords stored in there, which isn't really optimal either. The only thing that worries me is how useful the whole thing is if LastPass ever bites the dust, am I going to spend 3 weeks pulling out passwords and sticking them into a new system?

FuKNGRuVN wrote:

A +1 for YOUR MIND. I have 3 sets - work, home and tossaway. I change my complex passwords every 4 weeks. All are different (work is complex, home is complex, tossaway is simple) and never related to each other. I pick a random word (8 letters min), random letter / number substitutions and type them about 50 times into notepad to memorize them for work / home. Tossaway is that - tossaway, for random sites where I "have" to register for something (like driverguide, etc).

Everything is organized into these categories, and the passwords match. I also have the account names for sites "saved" in my browser, and a list of those in email, so that I rarely have to type both account name and password to minimize my "attack surface". I also only use "clean" machines that I *trust*. Honestly, I am never in need to post / read anything badly enough to risk using a potentially compromised public machine at a library, etc.

Work passwords that are shared in our organization are organized in public folders with only our team having access, so that takes care of itself.

The last place I'm going to put "all my keys" is the cloud.

Seriously, it's not that hard.

This was great for me, right up until my throwaway password was exposed. I traced through a whole lot of places I'd used it (easiest way to find most sites I used it on was to search gmail for my password, so many sites email it to you these days), but I'm still coming across it a while later. There was a substantial amount of information available with it and my email address (although the worst of it was my own fault, I'd set up a paypal account using that password and used it on an online store that apparently stored my credit card info for ease of use. All someone needed was the 3 digit security code off my credit card to go on a buying spree).

On the other hand, if I had a managed system, it'd be one password changed in a second if it was compromised. If you manage KeePass yourself, then the only person who could ever leak even the most meaningless passwords is yourself.

Use themes or phrases, tiered for importance or how trustworthy the site.

At most you'd need to remember 3-4 passwords or themes.

The whole 1-password per site is ridiculous.

This is all well and good for most web users, but if you're any sort of IT administrator (e.g. Web/Sys/Network administrator) you really do need one password per system. And possibly, depending on how your setup handles authentication, more than one person to know the password. This looks attractive to me, because I'm getting to the point where I really need to have more passwords than I can easily remember, without re-using things.

Take a few randomly generated passwords and commit them to memory. Use combinations of these passwords on different sites. So one site could be q1234z! and another could be q4321z! and then you can combine them into q1234z!q4321z! for a third and q4321z!q1234z! for a fourth. If you're feeling really creative, combine smaller passwords and tack on an extra character or two.

LastPass has robust support for export and import of passwords, so you shouldn't be too concerned about lock-in. You can always migrate over to KeePass. Anyway, the LastPass database is stored locally and synced to the cloud, so it can be opened even if the LastPass servers are not there anymore. I have been using LastPass for a while now and I cannot speak highly enough of it. It supports just about every platform imaginable, and has every feature I could ever want.

I've been using Locknote for years. It's like a text file with a built-in executable that acts exactly like Notepad, and encrypts itself with AES 256bit. It's not so portable, unless you keep it on thumb drive and plug it into Windows computers, but I'm usually using my one computer.

I have a horrible confession. I have been using the same password on ebay for 14 years. I really should change it some time.

Please do. EBay is the first (and only) site on which my password has been compromised. Once that happened, I began getting VERY serious about passwords == 1Password for personal use (LOVE the iPhone app!) and KeePass for work (because it's Windows).

I like the theory of storing passwords in my brain, but I know I am too lazy to change them as frequently as needed and too forgetful to keep everything straight if I do change them regularly. Plus being a sysadmin, that's just not a good practice.

I second keepass/keepassx/keepassdroid. The same encrypted database - which you can keep on dropbox for automatic sync - provides access across platforms. Two-factor authentication (I use a 2K key on a thumbdrive and a password). It works great in Linux and on my Android tablet as well.

That depends. The simplest way to remember it is to basically replicate what the (properly set up) password servers do: throw some random hash stuff in with your password.

Let's say you are fan of kitties, and were born in 1987

Take the first letter (1) of the website you're on as a capital, then add yay! then add the 9th (9) letter of the website, then "kitties!" then the 8th letter (8), then "wub" then the 7th letter (7), then "dem" then put the total number of consonants and then the total number of vowels in the website url as your numbers.

so you end up with your password as: (1)yay!(9)kitties!(8)wub(7)dem##

So, for Ars, you'd have Ayay!Ikitties!NwubHdem47

As long as you use a default bit of "base" with the same "cruft" on each website, you can remember "how" to get your password without actually knowing it, just by going to the website and figuring it out.

Keep your methodology the same for every site, and you'll end up with a long, safe password that's easy to change. At the 3 month mark, change the base, 3 months later, change your hash. I still agree that storing your stuff with a web service is simpler in the long run, but the problem is that you become reliant on it to make your passwords and if you end up on a shared device, you might not have access to your stuff easily. Better (in my opinion) to create strong passwords off of a system and then store them in a service if you want (I personally use fingerprint authentication for everything I do on my laptop as well)

EDIT: And no, this is not my actual birth year or cruft...as far as you know.

It would be nice to see an article like this answer some of the real questions about these password storage programs. Do they encrypt their databases? How? If someone steals your database and doesn't know your key, how much information does it leak about you? (That'd seem to be key in an article so friendly to storing this stuff in the cloud.) For those that do encrypt their databases, how do they generate their keys from your password? Just a hash? HMAC? A real, standard PBKDF? (the only right answer...) How many rounds?

Do these programs autofill passwords without your intervention? (that'd be bad, btw.) Can their browser extensions be scripted from web pages?

Can you export your passwords from one to another if you want to change later?

What kind of password management do they offer? Can you query based on password strength/reuse? Can they remind you to change a site's password? Can the generators be configured for "memorable" random passwords?

How would the "virtual keyboard" thing be safe from anything that has malware more sophisticated than a basic keylogger?

This feels like an uninformative treatment of an important subject, especially when you hold it next to some of the in depth gadget reviews you see on this site. I'm disappointed.
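A worked example added here, not code from the article or any of the commenters: one defensible answer to the key-derivation questions above (a standard PBKDF with a per-database salt, a tunable round count, an optional key file as a second factor, and a constant-time unlock check), plus a crude measurement of how the round count changes the number of master-password guesses per second, which is the cost behind the article's remark that an attacker will "go after the password itself" rather than the 256-bit AES. Only the Python standard library is used; the composite-key and key-check constructions are simplified illustrations and not any product's actual file format.

```python
import hashlib
import hmac
import os
import time

# Illustrative parameters for this example, not any product's defaults.
SALT_BYTES = 16
KEY_BYTES = 32


def naive_key(master_password: str) -> bytes:
    """The weak answer to "just a hash?": one unsalted SHA-256.

    Every candidate costs a guesser exactly one hash, and two users with the
    same master password end up with the same key because there is no salt.
    """
    return hashlib.sha256(master_password.encode("utf-8")).digest()


def composite_secret(master_password: str, key_file: bytes = b"") -> bytes:
    """Mix the password with an optional key file (random bytes kept on a USB
    stick) so that neither one alone reproduces the secret.
    Simplified illustration of the key-file idea; not any product's real format.
    """
    secret = hashlib.sha256(master_password.encode("utf-8")).digest()
    if key_file:
        secret = hashlib.sha256(secret + key_file).digest()
    return secret


def derive_key(master_password: str, salt: bytes, rounds: int,
               key_file: bytes = b"") -> bytes:
    """The "real, standard PBKDF" answer: PBKDF2-HMAC-SHA256 with a per-database
    salt and a tunable round count. Every round is extra work for every guess.
    """
    if len(salt) < SALT_BYTES:
        raise ValueError("salt too short")
    if rounds < 1:
        raise ValueError("rounds must be positive")
    secret = composite_secret(master_password, key_file)
    return hashlib.pbkdf2_hmac("sha256", secret, salt, rounds, dklen=KEY_BYTES)


def new_database_header(rounds: int) -> dict:
    """What a keeper must store next to the ciphertext so the key can be
    re-derived later. Neither the salt nor the round count is secret."""
    return {"salt": os.urandom(SALT_BYTES), "rounds": rounds}


def key_check(key: bytes) -> bytes:
    """A verifier that can sit in the file without revealing the key itself."""
    return hmac.new(key, b"key-check", "sha256").digest()


def unlock(master_password: str, header: dict, stored_check: bytes,
           key_file: bytes = b"") -> bool:
    """Re-derive the key and compare its verifier in constant time."""
    key = derive_key(master_password, header["salt"], header["rounds"], key_file)
    return hmac.compare_digest(key_check(key), stored_check)


def guesses_per_second(rounds: int, salt: bytes, samples: int = 10) -> float:
    """Rough single-core measurement of how many master-password candidates
    this machine can test per second at a given round count."""
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"candidate-{i}", salt, rounds)
    return samples / (time.perf_counter() - start)


def calibrate_rounds(target_seconds: float, salt: bytes,
                     start_rounds: int = 1000) -> int:
    """Double the round count until one unlock costs about target_seconds here."""
    rounds = start_rounds
    while True:
        t0 = time.perf_counter()
        derive_key("calibration", salt, rounds)
        if time.perf_counter() - t0 >= target_seconds:
            return rounds
        rounds *= 2


if __name__ == "__main__":
    # Constructed demo: pick rounds so one unlock costs ~50 ms on this machine.
    header = new_database_header(calibrate_rounds(0.05, os.urandom(SALT_BYTES)))
    key = derive_key("correct horse battery staple", header["salt"], header["rounds"])
    check = key_check(key)
    print("rounds chosen:", header["rounds"])
    print("right password unlocks:", unlock("correct horse battery staple", header, check))
    print("wrong password unlocks:", unlock("Tr0ub4dor&3", header, check))
    for r in (1, header["rounds"]):
        print(f"{r:>7} rounds: about {guesses_per_second(r, header['salt']):,.0f} guesses/s")
```

The guesses-per-second figure is per core on the defender's own hardware; a dedicated attacker has far more, so the round count only buys a constant factor and a long master password still does the real work.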

LastPass has robust support for export and import of passwords, so you shouldn't be too concerned about lock-in. You can always migrate over to KeePass. Anyway, the LastPass database is stored locally and synced to the cloud, so it can be opened even if the LastPass servers are not there anymore. I have been using LastPass for a while now and I cannot speak highly enough of it. It supports just about every platform imaginable, and has every feature I could ever want.

I just started using LastPass about a month ago and so far I like it. The one thing that wasn't mentioned here is that it lets you create one time passwords that are good for exactly one login. So I created about 5 and stuck them on a card in my wallet (they are 48 character strings) so I can login from work or other places where I might not trust local security.

For years I had a "system" and kept my passwords in my head, but that just got way too unwieldy. I was having to try all kinds of combination before I found the one I actually used. Now I use KeePass + Dropbox and my passwords are more secure, and I don't have to remember them (or the usernames) at all.

Petard, all of those are things easily found on the application's sites. KeePass can do all of that, of course the databases are encrypted, and it doesn't even leave the passwords in memory for more than ten seconds if you copy to the clipboard.

I don't know, I keep it simple: KeePass with the .kdb stored in Dropbox and the key file stored on a USB drive (with a backup stored on another USB device). I'm not sure if it's possible to open the database w/o the key file no matter what super machine and software you have to crack the password. No key file, no open, right?

In your head. +10000. The only passwords you need are:
- 1 as the master for each "zone" (>16 chars, strong)
- 3-4 for non-critical access (8 chars, pronounceable, changed often, and based on the same pattern for each time period)
- as many as you want dictionary-based tossaways, that you can let your browser remember for you.

Even if you are IT (unless you manage 10s of "zones") that amounts to a couple dozens password, and only a few that are hard to remember.

And... there is a trick for strong passwords that are easily remembered: base them on the letters of a song. For instance, the 3rd and 7th letter of each verse, or something like that.

I second keepass/keepassx/keepassdroid. The same encrypted database - which you can keep on dropbox for automatic sync - provides access across platforms. Two-factor authentication (I use a 2K key on a thumbdrive and a password). It works great in Linux and on my Android tablet as well.

That, or a password generator system, e.g.:
* Take a strange, unusual 10-letter word, and capitalize two letters: ichtyOsauR
* Change 1st and last letter of site into numbers: Gmail == 07 & 12
* Change 2nd letter of site into a modulo-10 number: m == 3
* Insert the numbers into the 3rd slot and the last, capitalize the 4th letter: ich07TyOsauR12

For more sensitive passwords (e.g., master password of the company website), I'll use something much more complex, e.g.:
* Choose the name of a great WWII leader, and do some capitalization: WinStonChurChill
* Embed the year in the month's position: Win2011StonChurChill
* Insert punctuation based on month modulo-6: Win2011StonChurCh#ill

The problem I face with such systems:
* Sometimes websites balked at the use of 'exotic' punctuations
* Sometimes (like the winston churchill password) the password gets too long and the password field is just not wide enough

So, on websites with one or both limitations, if the site's 'essential' enough, I'll just generate a random, alphanumeric+(whatever punctuations allowed) password the length of the password field. And store it in KeePass.

Petard, all of those are things easily found on the application's sites. KeePass can do all of that, of course the databases are encrypted, and it doesn't even leave the passwords in memory for more than ten seconds if you copy to the clipboard.

Everything in the article is easily found on the applications' sites. Except, of course, for the silly shit about the layers and layers of truecrypt volumes.

Some of the questions I asked are not. For example, look at the site for Keepass, your tool of choice. Now tell me how the key that the product uses for "the Advanced Encryption Standard (AES, Rijndael) and the Twofish algorithm to encrypt its password databases" is derived. Can you do so using only information from their site? I couldn't. And that's very important to the security of their product. It would have been a nice bit of research for an article such as this... just sayin'

I change them regularly. When I come up with new passwords, I write them down. If, after a week, I haven't looked one up, the paper gets shredded. But passwords get updated on a graduated schedule: email one month, banking the next, websites the next, etc. I have some throw-away passwords for some sites.

I've played around with LastPass and I like the convenience of it. But I'll probably end up getting rid of it. I can see a situation where I need to login at a computer I don't normally use, without access to LastPass (or some other password program), and then just be stuck because of not remembering the password.

After I read the Ars anonymous / HB Gary series of stories I became extremely worried about my horrible password practices. I bought 1Password & the iPhone app right after that and instantly generated new passwords for everything. It is really fantastic with Dropbox.

All good ideas, however I find the easiest way to store passwords is on the 'net itself.

Example: create a unique user name (simple), then, for the password, find a product on Newegg or hot car/bike you really drool for. Next, copy part or all of the URL, and bookmark it. Use the URL for your password.

If you keep your tiers as bookmark folders and bookmarks, then all you really need is an association (in YOUR MIND) with sites-to-URLs... and a method to sync bookmarks and folders across all your devices.

Here is an example of a password I used for a throwaway site:wegg.com/Product/ProductList.aspx?Submit=ENE&DEPA=0&Order=BESTMATCH&Description=gtx+580

Numbers? Check. Symbols? Check. Upper and lower case letters? Check. Lengthy "gibberish"? Check. Easy to remember and no way associated with me? Check. Software downloaded to entrust all my 'net profiles and secrets? NONE!

which generates nice long mixed-case passwords for each site to ensure that if one password is determined (perhaps if some site stores them plaintext or something equally stupid), the rest of my passwords won't be affected.

I guess it might be different if I had a job that required lots of different passwords but I generally remember passwords to websites I visit regularly and forget those I don't. All websites send an email if you forget your password, these days. So I just need a strong but memorable password for the email (and one for the computer).

KeePass + SugarSync + KeePassDroid (SugarSync is a Dropbox alternative that had an Android app first). Works great for me and my smartphone. KeePassDroid and SugarSync are great complements to my Android phone. Also use KeePassX on my Linux machines.

I don't see the need for such a strong master password - the chances of it being cracked are almost none, as long as you use something reasonably strong - 12 to 16 alphanumeric with symbols which is easy enough to remember by muscle memory.

The reason I say this is because the most likely vector of a password compromise is a Trojan or key-logger - in which case it quite simply doesn't matter how strong your password is - they're going to get it anyways.

I operate an ISP, and we have seen many such situations over the last three years or so. In fact, the ONLY compromised passwords we've ever seen have been where the username was ridiculously simple, and the same as the password; or the customer had a trojan/keylogger. There were more trojan/keyloggers than stupid simple identical user/pass by probably a factor of 5.

Password paranoia and 'oh my god they can crack my password in a few seconds!' rhetoric is, at best, sensationalist journalism.

Brute forcing over the Internet is mind numbingly slow at best - even with excellent latency and assuming you won't be blocked for repeated failures, you can test at best 10 to 100 logins per second. To exhaust even the 6 character password space would take a ridiculously long period of time.

Look at it this way - if they can get to your shadow file, they probably can just put in a keylogger and get it that way, they don't need to go all rainbow-file on your encrypted password. Doubly so on Windows! If they can't get to those files, it's going to take so ridiculously long to brute force anything, that it just doesn't matter.

What I am looking for is a good multi-client portable password manager. I use Windows, Linux, OS X, iPhone, Android, and who knows what else in the future.

Now most of my passwords fall into 2 categories: forums, and bank detail sites.

Forums use the same password. I really don't care if someone can log on as me on Ars as well as Slashdot. Big deal, the only thing in there is a name and email address anyway.

Everyone else gets unique passwords based on my physical world.

Currently everything is stored on an encrypted volume, with the app and data files there (along with a bunch of other stuff). I can live with this as one 452.5 MB file to back up. Downside is the app is an old version and newer ones are unsuited to my current task. However, I don't think I should have to buy 6 different versions of the same software just to use it everywhere I could use it. LastPass is interesting but I prefer to be in control of my data.

I used to simply have a master password, which got changed based upon requirements for special characters, etc. That was when I was a teen, and had no real data to protect, no job, etc.

I then tried to use a few layers of security: throwaway, personal, work. It was too hard to recall all of my passwords. I looked into using a password management software, but in the end I just used a simple scheme: hashes.

I made a simple little script that takes some characters and hashes them. It also independently hashes a seed. Then it takes half of each of the resulting hashes, mashes them together, and hashes the result. Next it takes all the characters whose indices are prime numbers and makes that my password string. For Sha224 this results in an 18 character long string. Because all the characters are either lowercase letters or numbers (hexadecimal), I added a loop that changes all letters on an odd index to uppercase. Then I add or replace some special characters in for additional security if necessary.

This took about 5 minutes to do in python, and as long as my seed hash is secure, nobody can get my passwords. It also has the advantage of not storing any of the passwords on my machine, and can be readily duplicated on any machine with python. If I wanted to, I could make a webpage that accepted a seed and a plaintext so I could access this "in the cloud" as it were.

To find out my password for any given site, I just type python autopass.py arstechnica and then copypasta that in.

This is a great article for people who are curious about how to increase their security. I do have to question the usefulness of one recommendation, which is also 'standard' protocol almost everywhere: changing passwords often. Simply put, "Why?" What additional protection does that get you? Do you really think that if someone gets access to your account information that they'll sit on it for a week, month or more? No, they're going to use it immediately.

Let's say you change your password religiously every 30 days and it gets compromised at day 15, what good did changing your password do you for the past 15 days? Absolutely no good at all. Even if it gets compromised on day 30, your changing it the very next day most likely did not save you from being hacked yesterday.

For those with fancy memorization schemes, do you do all of that work for every website with an account? Obviously I'm careful with financial sites and email, but for news websites like ars or game portals, etc I just write them down. I guess KeePass is just an automated version, but I'm too paranoid to keep all my secrets in one digital place.

This is a great article for people who are curious about how to increase their security. I do have to question the usefulness of one recommendation, which is also 'standard' protocol almost everywhere: changing passwords often. Simply put, "Why?" What additional protection does that get you? Do you really think that if someone gets access to your account information that they'll sit on it for a week, month or more? No, they're going to use it immediately.

Let's say you change your password religiously every 30 days and it gets compromised at day 15, what good did changing your password do you for the past 15 days? Absolutely no good at all. Even if it gets compromised on day 30, your changing it the very next day most likely did not save you from being hacked yesterday.

Okay, I think you're missing the point. It isn't because you're giving them less time to do stuff once they have the password, it's giving them less time to figure out the password, or for you to mess up and leave it written down somewhere. Let's say you're an ultra-important person. They want to crack your password, so the ubiquitous "they" try brute-forcing it using a Cray or similarly powerful supercomputer. Let's say it takes a year. If your password is > a year old, you're likely going to get compromised eventually. By changing your password every 30 days, the MAXIMUM time a person has to get your password is 30 days, which lessens the likelihood of it being compromised.

Also, more likely, it's to account for human nature. You write it down on a piece of paper and throw it away without shredding it. So someone has 30 days (at most) to find and exploit it. Or you tell someone your password (because humans are DUMB). Again, someone has a maximum of 30 days to get that information from another person before that password is useless. The shorter the time period between you resetting your password, the less time someone has to actually obtain that information before it becomes irrelevant.